Update dependency stylelint to v15 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
stylelint (source)	14.11.0 -> 15.10.1

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.

---

⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (here is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2

---

Release Notes

stylelint/stylelint (stylelint)

v15.10.1

Compare Source

• Security: fix for semver vulnerability (#​7043) (@​romainmenke).
• Fixed: invalid option regression on Windows 10 (#​7043) (@​romainmenke).

v15.10.0

Compare Source

• Added: media-query-no-invalid (#​6963) (@​romainmenke).
• Added: support for JS objects with extends config option (#​6998) (@​fpetrakov).
• Fixed: inconsistent errored properties in stylelint.lint() return value (#​6983) (@​ybiquitous).
• Fixed: {selector,value}-no-vendor-prefix performance (#​7016) (@​jeddy3).
• Fixed: custom-property-pattern performance (#​7009) (@​jeddy3).
• Fixed: function-linear-gradient-no-nonstandard-direction false positives for <color-interpolation-method> (#​6987) (@​romainmenke).
• Fixed: function-name-case performance (#​7010) (@​jeddy3).
• Fixed: function-no-unknown performance (#​7004) (@​jeddy3).
• Fixed: function-url-quotes performance (#​7011) (@​jeddy3).
• Fixed: hue-degree-notation false negatives for oklch (#​7015) (@​romainmenke).
• Fixed: hue-degree-notation performance (#​7012) (@​jeddy3).
• Fixed: media-feature-name-no-unknown false positives for environment-blending, nav-controls, prefers-reduced-data, and video-color-gamut (#​6978) (@​romainmenke).
• Fixed: media-feature-name-no-vendor-prefix positions for *-device-pixel-ratio (#​6977) (@​romainmenke).
• Fixed: no-descending-specificity performance (#​7026) (@​romainmenke).
• Fixed: no-duplicate-at-import-rules false negatives for imports with supports and layer conditions (#​7001) (@​romainmenke).
• Fixed: selector-anb-no-unmatchable performance (#​7042) (@​romainmenke).
• Fixed: selector-id-pattern performance (#​7013) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false negatives for pseudo-elements with matching names (#​6964) (@​Mouvedia).
• Fixed: selector-pseudo-element-no-unknown performance (#​7007) (@​jeddy3).
• Fixed: selector-type-case performance (#​7041) (@​romainmenke).
• Fixed: selector-type-no-unknown performance (#​7027) (@​romainmenke).
• Fixed: unit-disallowed-list false negatives with percentages (#​7018) (@​romainmenke).

v15.9.0

Compare Source

• Added: insideFunctions: {"function": int} to number-max-precision (#​6932) (@​romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-radius shorthand (#​6958) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-width shorthand (#​6956) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-column and grid-row (#​6957) (@​mattxwang).

v15.8.0

Compare Source

• Added: media-feature-name-value-no-unknown (#​6906) (@​romainmenke).
• Added: support for .mjs configuration files (#​6910) (@​ybiquitous).
• Fixed: --print-config description in CLI help (#​6914) (@​ybiquitous).
• Fixed: allowEmptyInput option in configuration files (#​6929) (@​ybiquitous).
• Fixed: custom-property-no-missing-var-function performance (#​6922) (@​romainmenke).
• Fixed: function-calc-no-unspaced-operator performance (#​6923) (@​romainmenke).
• Fixed: function-linear-gradient-no-nonstandard-direction performance (#​6924) (@​romainmenke).
• Fixed: function-no-unknown false positives for SCSS functions with namespace (#​6921) (@​romainmenke).
• Fixed: max-nesting-depth error for at-rules in Sass syntax (#​6909) (@​ybiquitous).
• Fixed: selector-anb-no-unmatchable performance (#​6925) (@​romainmenke).
• Fixed: remove v8-compile-cache dependency (#​6907) (@​ybiquitous).

v15.7.0

Compare Source

• Added: splitList: boolean to selector-nested-pattern (#​6896) (@​is2ei).
• Fixed: unit-no-unknown false positives for unicode-range descriptors (#​6892) (@​romainmenke).
• Fixed: segmentation fault errors for Cosmiconfig 8.2 (#​6902) (@​romainmenke).

v15.6.3

Compare Source

• Fixed: alpha-value-notation false positives for color() (#​6885) (@​romainmenke).
• Fixed: alpha-value-notation performance with improved benchmark script (#​6864) (@​romainmenke).
• Fixed: at-rule-property-required-list performance (#​6865) (@​romainmenke).
• Fixed: color-* performance (#​6868) (@​romainmenke).
• Fixed: length-zero-no-unit false positives on new math functions (#​6871) (@​romainmenke).
• Fixed: string formatter for unexpected truncation on non-ASCII characters (#​6861) (@​Max10240).
• Fixed: unit-no-unknown false positives for the second and subsequent image-set() with x descriptor (#​6879) (@​romainmenke).

v15.6.2

Compare Source

• Fixed: alpha-value-notation false negatives for oklab(), oklch(), and color() (#​6844) (@​romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix with cubic-bezier() (#​6841) (@​romainmenke).
• Fixed: function-no-unknown false positives for unspaced operators against nested brackets (#​6842) (@​romainmenke).
• Fixed: function-url-quotes false positives for SCSS with() construct (#​6847) (@​ybiquitous).
• Fixed: media-feature-name-no-unknown false positives for not and or (#​6838) (@​romainmenke).

v15.6.1

Compare Source

• Fixed: declaration-block-no-redundant-longhand-properties autofix for transition (#​6815) (@​mattxwang).
• Fixed: github formatter for missing final newline (#​6822) (@​konomae).
• Fixed: selector-pseudo-class-no-unknown false positive for :modal (#​6811) (@​Yasir761).

v15.6.0

Compare Source

• Added: allowEmptyInput, cache, fix options to configuration object (#​6778) (@​mattxwang).
• Added: ignore: ["with-var-inside"] to color-function-notation (#​6802) (@​mattxwang).
• Fixed: declaration-block-no-duplicate-properties autofix for 3 or more duplicates (#​6801) (@​mattxwang).
• Fixed: declaration-block-no-duplicate-properties false positives with option ignore: ["consecutive-duplicates-with-different-syntaxes"] (#​6797) (@​romainmenke).
• Fixed: declaration-block-no-duplicate-properties syntax error (#​6792) (@​yoyo837).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-template (#​6777) (@​mattxwang).
• Fixed: function-url-quotes autofix for comments in SCSS function (#​6800) (@​ybiquitous).

v15.5.0

Compare Source

• Added: ignore: ["consecutive-duplicates-with-different-syntaxes"] to declaration-block-no-duplicate-properties (#​6772) (@​kimulaco).
• Added: ignoreProperties: [] to declaration-block-no-duplicate-custom-properties (#​6773) (@​mattxwang).
• Added: raw regex support to ignoreProperties for declaration-block-no-duplicate-properties (#​6764) (@​ybiquitous).
• Fixed: block-no-empty false positives with non-whitespace characters (#​6782) (@​ybiquitous).
• Fixed: color-function-notation false positives for namespaced imports (#​6774) (@​mattxwang).
• Fixed: custom-property-empty-line-before false positives for CSS-in-JS (#​6767) (@​ybiquitous).
• Fixed: media-feature-range-notation parse error (#​6760) (@​fpetrakov).
• Fixed: CLI help improvements (#​6783) (@​ybiquitous).

v15.4.0

Compare Source

• Added: --quiet-deprecation-warnings flag (#​6724) (@​mattxwang).
• Added: -c alias for --config (#​6720) (@​sidverma32).
• Added: media-feature-range-notation autofix (#​6742) (@​romainmenke).
• Added: no-unknown-custom-properties rule (#​6731) (@​jameschensmith).
• Fixed: function-url-quotes autofix for double-slash comments in SCSS maps (#​6745) (@​jgerigmeyer).
• Fixed: isPathIgnored() utility's performance (#​6728) (@​ybiquitous).
• Fixed: rule-selector-property-disallowed-list secondary options (#​6723) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties with basic keywords (#​6748) (@​mattxwang).
• Fixed: deprecation warnings for disabled rules (#​6747) (@​ybiquitous).

v15.3.0

Compare Source

• Added: configurationComment configuration property (#​6629) (@​ifitzpatrick).
• Added: selector-anb-no-unmatchable rule (#​6678) (@​mattxwang).
• Fixed: TypeScript error for CommonJS importing (#​6703) (@​remcohaszing).
• Fixed: *-no-redundant-* false negatives for inset shorthand (#​6699) (@​rayrw).
• Fixed: function-url-quotes autofix for multiple url() (#​6711) (@​ybiquitous).
• Fixed: value-keyword-case false positives for Level 4 system colours (#​6712) (@​thewilkybarkid).

v15.2.0

Compare Source

• Added: messageArgs to 76 rules (#​6589) (@​kizu).
• Fixed: TypeScript error to export Plugin and RuleContext (#​6664) (@​henryruhs).
• Fixed: overrides.extends order when including same rules (#​6660) (@​kuoruan).
• Fixed: annotation-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: declaration-property-value-no-unknown false positives for at-rule descriptors (#​6669) (@​FloEdelmann).
• Fixed: declaration-property-value-no-unknown parse error for alpha(opacity=n) to report as violation (#​6650) (@​romainmenke).
• Fixed: function-name-case false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: function-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: unit-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: value-keyword-case false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).

v15.1.0

Compare Source

• Added: declaration-block-no-redundant-longhand-properties autofix (#​6580) (@​mattxwang).
• Fixed: declaration-property-value-no-unknown false positives for env() (#​6646) (@​romainmenke).
• Fixed: function-calc-no-unspaced-operator TypeError on empty calc() (#​6634) (@​romainmenke).
• Fixed: inaccurate customSyntax inference (#​6645) (@​ybiquitous).

v15.0.0

Compare Source

Migrating to 15.0.0 guide.

• Removed: Node.js 12 support (#​6477) (@​ybiquitous). (BREAKING)
• Removed: support for processors (#​6479) (@​ybiquitous). (BREAKING)
• Removed: syntax option (#​6420) (@​fpetrakov). (BREAKING)
• Changed: extends in overrides to merge to be consistent with plugins behaviour (#​6380) (@​jasikpark). (BREAKING)
• Changed: type definitions to reorganize (#​6510) (@​ybiquitous). (BREAKING)
• Changed: type names to be more consistent (#​6503) (@​ybiquitous). (BREAKING)
• Deprecated: stylistic rules handled by Prettier (#​6504) (@​ybiquitous).
• Added: declaration-property-value-no-unknown rule (#​6511) (@​jeddy3).
• Added: media-feature-name-unit-allowed-list rule (#​6550) (@​mattxwang).
• Added: function-url-quotes autofix (#​6558) (@​mattxwang).
• Added: ignore: ["custom-elements"] to selector-max-type (#​6588) (@​muddv).
• Added: ignoreFunctions: [] to unit-disallowed-list (#​6592) (@​mattxwang).
• Added: deprecated rule warnings (#​6561) (@​ybiquitous).
• Added: message arguments to declaration-property-unit-allowed-list (#​6570) (@​mattxwang).
• Fixed: overrides.files in config to allow basename glob patterns (#​6547) (@​ybiquitous).
• Fixed: at-rule-no-unknown false positives for @scroll-timeline (#​6554) (@​mattxwang).
• Fixed: function-no-unknown false positives for interpolation and backticks in CSS-in-JS (#​6565) (@​hudochenkov).
• Fixed: keyframe-selector-notation false positives for named timeline ranges (#​6605) (@​kimulaco).
• Fixed: property-no-unknown false negatives for newer custom syntaxes (#​6553) (@​43081j).
• Fixed: selector-attribute-quotes false positives for "never" (#​6571) (@​mattxwang).
• Fixed: selector-not-notation autofix for "simple" option (#​6608) (@​Mouvedia).

v14.16.1

Compare Source

• Fixed: customSyntax resolution with configBasedir (#​6536) (@​ybiquitous).
• Fixed: declaration-block-no-duplicate-properties autofix for !important (#​6528) (@​sidx1024).
• Fixed: function-no-unknown false positives for scroll, -webkit-gradient, color-stop, from, and to (#​6539) (@​Mouvedia).
• Fixed: value-keyword-case false positives for mixed case ignoreFunctions option (#​6517) (@​kimulaco).
• Fixed: unexpected output in Node.js API lint result when any rule contains disableFix: true (#​6543) (@​adrianjost).

v14.16.0

Compare Source

• Added: media-feature-range-notation rule (#​6497) (@​jeddy3).
• Added: support for plugin objects as config values (#​6481) (@​phoenisx).
• Fixed: incorrect output by all formatters except for json (#​6480) (@​ybiquitous).

v14.15.0

Compare Source

• Added: --globby-options flag (#​6437) (@​sidverma32).
• Added: custom message formatting for at-rule-disallowed-list, declaration-property-unit-disallowed-list, declaration-property-value-disallowed-list, function-disallowed-list, and property-disallowed-list (#​6463) (@​chloerice).
• Added: support autofix with checkAgainstRule (#​6466) (@​aaronccasanova).
• Added: support for reporting with custom severity (#​6444) (@​aaronccasanova).
• Added: support to checkAgainstRule with custom rules (#​6460) (@​aaronccasanova).
• Fixed: tally output of string formatter colorized (#​6443) (@​ybiquitous).
• Fixed: usage of the import-lazy package to fit bundlers (#​6449) (@​phoenisx).

v14.14.1

Compare Source

• Fixed: declaration-block-no-redundant-longhand-properties false positives for inherit keyword (#​6419) (@​kimulaco).
• Fixed: shorthand-property-no-redundant-values message to be consistent (#​6417) (@​fpetrakov).
• Fixed: unit-no-unknown false positives for *vi & *vb viewport units (#​6428) (@​sidverma32).

v14.14.0

Compare Source

• Added: *-pattern custom message formatting (#​6391) (@​ybiquitous).
• Fixed: block-no-empty false positives for reportNeedlessDisables (#​6381) (@​ybiquitous).
• Fixed: printf-like formatting for custom messages (#​6389) (@​ybiquitous).
• Fixed: unit-no-unknown false positives for font-relative length units (#​6374) (@​ybiquitous).
• Fixed: false negatives on second run for cache and severity option (#​6384) (@​kimulaco).
• Fixed: TS compilation error due to needless file-entry-cache import (#​6393) (@​adidahiya).

v14.13.0

Compare Source

• Added: cacheStrategy option (#​6357) (@​kaorun343).
• Fixed: cache refresh when config is changed (#​6356) (@​kimulaco).
• Fixed: selector-pseudo-element-no-unknown false positives for ::highlight pseudo-element (#​6367) (@​jathak).

v14.12.1

Compare Source

• Fixed: font-weight-notation messages (#​6350) (@​ybiquitous).
• Fixed: type declarations for custom message arguments (#​6354) (@​stof).

v14.12.0

Compare Source

• Added: support for multiple --ignore-path flags (#​6345) (@​kimulaco).
• Added: experimental support for custom message arguments (#​6312) (@​ybiquitous).
• Added: declaration-block-no-duplicate-properties autofix (#​6296) (@​fpetrakov).
• Added: font-weight-notation autofix (#​6347) (@​ybiquitous).
• Added: ignore: ["inside-block"] and splitList to selector-disallowed-list (#​6334) (@​mattmanuel90).
• Added: regex support for ignorePseudoClasses option of selector-pseudo-class-no-unknown (#​6316) (@​ybiquitous).
• Added: regex support for ignorePseudoElements option of selector-pseudo-element-no-unknown (#​6317) (@​ybiquitous).
• Added: regex support for ignoreSelectors option of selector-no-vendor-prefix (#​6327) (@​ybiquitous).
• Added: regex support for ignoreTypes option of selector-type-case (#​6326) (@​ybiquitous).
• Fixed: *-no-unknown false positives for container queries (#​6318) (@​fpetrakov).
• Fixed: font-family-name-quotes false positives for interpolation and shorthand (#​6335) (@​kimulaco).
• Fixed: time-min-milliseconds incorrect location for matching violating times (#​6319) (@​kawaguchi1102).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

/usr/local/bin/docker: line 4: .: filename argument required
.: usage: . filename [arguments]
npm notice 
npm notice New major version of npm available! 8.19.4 -> 9.8.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v9.8.0>
npm notice Run `npm install -g npm@9.8.0` to update!
npm notice 
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: grunt-stylelint@0.18.0
npm ERR! Found: stylelint@15.10.1
npm ERR! node_modules/stylelint
npm ERR!   dev stylelint@"15.10.1" from the root project
npm ERR!   peer stylelint@">=10.1.0" from stylelint-config-recommended@3.0.0
npm ERR!   node_modules/stylelint-config-recommended
npm ERR!     stylelint-config-recommended@"^3.0.0" from stylelint-config-recommended-scss@4.2.0
npm ERR!     node_modules/stylelint-config-recommended-scss
npm ERR!       stylelint-config-recommended-scss@"^4.2.0" from stylelint-config-wordpress@17.0.0
npm ERR!       node_modules/stylelint-config-wordpress
npm ERR!         dev stylelint-config-wordpress@"17.0.0" from the root project
npm ERR!     stylelint-config-recommended@"^3.0.0" from stylelint-config-wordpress@17.0.0
npm ERR!     node_modules/stylelint-config-wordpress
npm ERR!       dev stylelint-config-wordpress@"17.0.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer stylelint@"14.x" from grunt-stylelint@0.18.0
npm ERR! node_modules/grunt-stylelint
npm ERR!   dev grunt-stylelint@"0.18.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: stylelint@14.16.1
npm ERR! node_modules/stylelint
npm ERR!   peer stylelint@"14.x" from grunt-stylelint@0.18.0
npm ERR!   node_modules/grunt-stylelint
npm ERR!     dev grunt-stylelint@"0.18.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/worker/4348d9/030fe8/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/worker/4348d9/030fe8/cache/others/npm/_logs/2023-07-10T11_29_58_203Z-debug-0.log